From b7bfb0bfae10b314c736896498317136eb2062da Mon Sep 17 00:00:00 2001
From: Erich Blume <blume.erich@gmail.com>
Date: Sun, 1 Mar 2026 15:52:36 -0800
Subject: [PATCH] Fix authentik container: set TMPDIR=/tmp
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

lifecycle/ak uses ${TMPDIR}/authentik-mode — without TMPDIR set it
tries to write /authentik-mode in root, which user 65534 can't do.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 containers/authentik/default.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/containers/authentik/default.nix b/containers/authentik/default.nix
index e1d2773..7d5a976 100644
--- a/containers/authentik/default.nix
+++ b/containers/authentik/default.nix
@@ -66,6 +66,7 @@ pkgs.dockerTools.buildLayeredImage {
     Env = [
       "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
       "TZDIR=${pkgs.tzdata}/share/zoneinfo"
+      "TMPDIR=/tmp"
       "AUTHENTIK_BLUEPRINTS_DIR=/blueprints"
     ];
     ExposedPorts = {